SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mirai (Back to overview)

Mirai


There is no description at this point.

References
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
@techreport{inc:20190508:2019:3c20a3b, author = {Verizon Communications Inc.}, title = {{2019 Data Breach Investigations Report}}, date = {2019-05-08}, institution = {Verizon Communications Inc.}, url = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf}, language = {English}, urldate = {2020-05-10} } 2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2017-03-29ImpervaDima Bekerman
@online{bekerman:20170329:new:e4007ca, author = {Dima Bekerman}, title = {{New Mirai Variant Launches 54 Hour DDoS Attack against US College}}, date = {2017-03-29}, organization = {Imperva}, url = {https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html}, language = {English}, urldate = {2020-01-05} } New Mirai Variant Launches 54 Hour DDoS Attack against US College
Mirai
2017-02-21Kaspersky LabsGReAT
@online{great:20170221:newish:1c13271, author = {GReAT}, title = {{New(ish) Mirai Spreader Poses New Risks}}, date = {2017-02-21}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/}, language = {English}, urldate = {2019-12-20} } New(ish) Mirai Spreader Poses New Risks
Mirai
2017-02-10Twitter (@PhysicalDrive0)@PhysicalDrive0
@online{physicaldrive0:20170210:mirai:51440a0, author = {@PhysicalDrive0}, title = {{Tweet on Mirai Windows Version}}, date = {2017-02-10}, organization = {Twitter (@PhysicalDrive0)}, url = {https://twitter.com/PhysicalDrive0/status/830070569202749440}, language = {English}, urldate = {2019-07-09} } Tweet on Mirai Windows Version
Mirai
Yara Rules
[TLP:WHITE] win_mirai_auto (20210616 | Detects win.mirai.)
rule win_mirai_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.mirai."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d8d84feffff e8???????? 8b8decfdffff 81c1ac000000 e8???????? 8985d8fdffff 6a00 }
            // n = 7, score = 100
            //   8d8d84feffff         | lea                 ecx, dword ptr [ebp - 0x17c]
            //   e8????????           |                     
            //   8b8decfdffff         | mov                 ecx, dword ptr [ebp - 0x214]
            //   81c1ac000000         | add                 ecx, 0xac
            //   e8????????           |                     
            //   8985d8fdffff         | mov                 dword ptr [ebp - 0x228], eax
            //   6a00                 | push                0

        $sequence_1 = { ff15???????? 85c0 787d 8b762c 85f6 7412 8b4610 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   787d                 | js                  0x7f
            //   8b762c               | mov                 esi, dword ptr [esi + 0x2c]
            //   85f6                 | test                esi, esi
            //   7412                 | je                  0x14
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]

        $sequence_2 = { eb30 33db eb35 837c241800 759a 0fb610 0fb69a98ff6d00 }
            // n = 7, score = 100
            //   eb30                 | jmp                 0x32
            //   33db                 | xor                 ebx, ebx
            //   eb35                 | jmp                 0x37
            //   837c241800           | cmp                 dword ptr [esp + 0x18], 0
            //   759a                 | jne                 0xffffff9c
            //   0fb610               | movzx               edx, byte ptr [eax]
            //   0fb69a98ff6d00       | movzx               ebx, byte ptr [edx + 0x6dff98]

        $sequence_3 = { ffb550f7ffff 8b8540f8ffff 8b80a8000000 8b8d40f8ffff 8b89a8000000 8b00 ff5020 }
            // n = 7, score = 100
            //   ffb550f7ffff         | push                dword ptr [ebp - 0x8b0]
            //   8b8540f8ffff         | mov                 eax, dword ptr [ebp - 0x7c0]
            //   8b80a8000000         | mov                 eax, dword ptr [eax + 0xa8]
            //   8b8d40f8ffff         | mov                 ecx, dword ptr [ebp - 0x7c0]
            //   8b89a8000000         | mov                 ecx, dword ptr [ecx + 0xa8]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   ff5020               | call                dword ptr [eax + 0x20]

        $sequence_4 = { eb2c 83ff2f 7527 6a00 33d2 8bce e8???????? }
            // n = 7, score = 100
            //   eb2c                 | jmp                 0x2e
            //   83ff2f               | cmp                 edi, 0x2f
            //   7527                 | jne                 0x29
            //   6a00                 | push                0
            //   33d2                 | xor                 edx, edx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_5 = { e8???????? 8bcf 8be8 e8???????? 03e8 8bce 2bcb }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bcf                 | mov                 ecx, edi
            //   8be8                 | mov                 ebp, eax
            //   e8????????           |                     
            //   03e8                 | add                 ebp, eax
            //   8bce                 | mov                 ecx, esi
            //   2bcb                 | sub                 ecx, ebx

        $sequence_6 = { eb04 8b742428 85ff 7427 6a00 57 68???????? }
            // n = 7, score = 100
            //   eb04                 | jmp                 6
            //   8b742428             | mov                 esi, dword ptr [esp + 0x28]
            //   85ff                 | test                edi, edi
            //   7427                 | je                  0x29
            //   6a00                 | push                0
            //   57                   | push                edi
            //   68????????           |                     

        $sequence_7 = { ff5008 50 8b45e4 8b00 8b4de4 ff10 50 }
            // n = 7, score = 100
            //   ff5008               | call                dword ptr [eax + 8]
            //   50                   | push                eax
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   ff10                 | call                dword ptr [eax]
            //   50                   | push                eax

        $sequence_8 = { e8???????? 83c410 8d85e8fbffff 50 8d8d64fbfeff e8???????? 68???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8d85e8fbffff         | lea                 eax, dword ptr [ebp - 0x418]
            //   50                   | push                eax
            //   8d8d64fbfeff         | lea                 ecx, dword ptr [ebp - 0x1049c]
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_9 = { 8b4df0 e8???????? 034514 034518 50 8b4df0 e8???????? }
            // n = 7, score = 100
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   034514               | add                 eax, dword ptr [ebp + 0x14]
            //   034518               | add                 eax, dword ptr [ebp + 0x18]
            //   50                   | push                eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 7086080
}
Download all Yara Rules